Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-32002
Publication date:
15/05/2025
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier when 'Remote Link3 function' is enabled. If exploited, a remote unauthenticated attacker may execute an arbitrary OS command.
Severity CVSS v4.0: CRITICAL
Last modification:
16/05/2025

CVE-2025-32738
Publication date:
15/05/2025
Missing authentication for critical function issue exists in I-O DATA network attached hard disk 'HDL-T Series' firmware Ver.1.21 and earlier. If exploited, a remote unauthenticated attacker may change the product settings.
Severity CVSS v4.0: MEDIUM
Last modification:
16/05/2025

CVE-2025-4737
Publication date:
15/05/2025
Insufficient encryption vulnerability in the mobile application (com.transsion.aivoiceassistant) may lead to the risk of sensitive information leakage.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-27523
Publication date:
15/05/2025
XXE vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-27524
Publication date:
15/05/2025
Weak encryption vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-27525
Publication date:
15/05/2025
Information Exposure vulnerability in Hitachi JP1/IT Desktop Management 2 - Smart Device Manager on Windows.This issue affects JP1/IT Desktop Management 2 - Smart Device Manager: from 12-00 before 12-00-08, from 11-10 through 11-10-08, from 11-00 through 11-00-05, from 10-50 through 10-50-06.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-48027
Publication date:
15/05/2025
The HttpAuth plugin in pGina.Fork through 3.9.9.12 allows authentication bypass when an adversary controls DNS resolution for pginaloginserver.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-3742
Publication date:
15/05/2025
The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
04/06/2025

CVE-2024-13914
Publication date:
15/05/2025
The File Manager Advanced Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the 'file_manager_advanced' shortcode. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary JavaScript files on the server. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Sites currently using 2.5.4 (file-manager-advanced-shortcode) should be updated to 2.6.0 (advanced-file-manager-pro-premium).
Severity CVSS v4.0: Pending analysis
Last modification:
01/07/2025

CVE-2025-48024
Publication date:
15/05/2025
In BlueWave Checkmate before 2.1, an authenticated regular user can access sensitive application secrets via the /api/v1/settings endpoint.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-3053
Publication date:
15/05/2025
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025

CVE-2025-4591
Publication date:
15/05/2025
The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity CVSS v4.0: Pending analysis
Last modification:
16/05/2025
Subscribe to Vulnerabilities